72 hours and counting – what you need to know about data breach notifications

Under the EU’s GDPR (General Data Protection Regulations), organisations are required to report certain types of personal data breach to the relevant supervisory body – the ICO (Information Commissioner’s Office) in the UK – within 72 hours of becoming aware of the breach. If the breach poses a high risk to individuals’ rights and freedoms, you must also inform those individuals without undue delay.

Would your organisation know what to do if the notification clock suddenly started ticking?

Personal data breaches are far more common than organisations think, so it is prudent to understand – and be prepared for – the event. There are two distinct elements to this. The first is about incident response and being able to deploy a sequence of events to mitigate the impact of a breach. The second is about having efficient processes in place to systematically gather all the information the ICO will require at the time of notification. Being well-placed to do both parts ensures you are able to respond appropriately and effectively while also lessening the impact on daily operations (and reducing the associated stress).

Definition of a personal data breach

A personal data breach is defined by the ICO as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. It goes on to highlight that personal data breaches can include:

Access by an unauthorised third party;

Deliberate or accidental action (or inaction) by a controller or processor;

Sending personal data to an unintended recipient;

Lost or stolen computing devices containing personal data;

Unauthorised alteration of personal data; and

Loss of availability of personal data.

Where is breach notification addressed within the GDPR?

Article 33 specifically relates to the “notification of a personal data breach to the supervisory authority” and Article 34 addresses the “communication of a personal data breach to the data subject”.

When creating your procedure for responding to a data breach, these two articles must be addressed. You should scope out the procedure, responsibilities and steps that your organisation will take to communicate the breach from:

Data processor to data controller;

Data controller to supervisory authority; and

Data controller to data subject.

And you must remember the 72-hour timeframe. If the notification is not made within this window, the data controller must provide a reasonable justification for the delay.

Avoid a scramble

When reporting a data breach, the data controller will need to provide the following information:

An explanation of what has happened.

Details of how and when they found out about the breach.

An indication of how many people have been, or may be, affected by the breach.

An explanation of what is being done as a result of the breach.

Contact details for the main contact in case more information is needed.

Although it sounds like a lot, the process can be eased through effective planning and preparation. Our GDPR Documentation Toolkit provides a complete set of resources that will help ensure you’re prepared and able to answer the ICO’s questions by enabling you to keep track of all the personal data your organisation collects and processes. If you understand your organisation’s data flows, you’ll quickly be able to identify rogue activity and provide a forensic report to the ICO.

How do you notify the ICO of a data breach?

It’s possible to notify the ICO of a data breach verbally over the telephone. The operator will run through questions to capture all the relevant details and send you a copy of the information you’ve provided for your records.

The alternative is to file a report online using the ICO’s ‘personal data breach reporting form’. This approach can be used if you’re confident you’ve dealt with the breach appropriately, or if you’re still investigating the situation and will be providing additional detail later. The online form can also be used to report breaches outside the ICO’s normal opening hours.

Regardless of whether the notification is made verbally or supplied as a report online, if your organisation has suffered a notifiable personal data breach, the same information will need to be compiled and shared with the ICO.

The only way to complete the breach notification process without derailing business operations is by being prepared. With almost one billion personal data records leaked in September alone, action is needed now.